What is the best way to restrict access to an Application Load Balancer?

Problem description

Ideally, I'd like to lock down my ALB so that it can only be accessed by API Gateway.

I've looked into whether I can associate API gateway with an Inbound Rule - however, I have found that API Gateway cannot be associated with an IP address, or a security group. I've also looked into an Internal facing ALB, but I've been unable to get these working as VPC link only supports NLB.

Any help will be greatly appreciated - I've been looking in the Gateway Settings but cannot find this option.

What is the best way to approach this so that the ALB is as restricted as possible?

Recommended answer

The API Gateway doesn't have a static IP and ALBs don't offer any authentication other than Cognito User Pools at this moment. Because of that I would say your best option is to use a VPC link with Network Load Balancer as you propose and tunnel the request via the NLB to your ALB.

Alternatively you could have a Lambda inside your VPC invoke the ALB but that would be a lot slower, but cheaper for low volumes because you skip the NLB.
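
An added example, not part of the original answer: once the ALB sits behind an NLB or a VPC Lambda, this check confirms the ALB itself is no longer reachable from outside, using the JSON shape returned by `aws elbv2 describe-load-balancers` and `aws ec2 describe-security-groups`. The VPC CIDR, the sample records and the rule that only in-VPC sources are acceptable are assumptions of this example; rules that reference other security groups are not evaluated.

```python
import ipaddress

def audit_alb(lb, security_groups, vpc_cidr):
    """Return a list of findings for one ALB (empty list means locked down).

    lb: one item of "LoadBalancers" from describe-load-balancers.
    security_groups: "SecurityGroups" from describe-security-groups.
    vpc_cidr: assumption of this example; only sources inside it are accepted.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = []
    # An internet-facing ALB gets public addresses regardless of its rules.
    if lb.get("Scheme") != "internal":
        findings.append(f"scheme is {lb.get('Scheme')}, expected internal")
    attached = set(lb.get("SecurityGroups", []))
    for sg in security_groups:
        if sg["GroupId"] not in attached:
            continue
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                # subnet_of() raises TypeError across IP versions,
                # so compare versions before calling it.
                if net.version != vpc.version or not net.subnet_of(vpc):
                    port = perm.get("FromPort", "all ports")
                    findings.append(f"{sg['GroupId']} allows {cidr} on {port}")
    return findings

# Constructed sample data (not from a real account).
OPEN_LB = {"LoadBalancerName": "example-alb", "Type": "application",
           "Scheme": "internet-facing", "SecurityGroups": ["sg-example1"]}
OPEN_SGS = [{"GroupId": "sg-example1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]
LOCKED_LB = dict(OPEN_LB, Scheme="internal")
LOCKED_SGS = [{"GroupId": "sg-example1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]}]

if __name__ == "__main__":
    for name, lb, sgs in (("open", OPEN_LB, OPEN_SGS),
                          ("locked", LOCKED_LB, LOCKED_SGS)):
        print(name, audit_alb(lb, sgs, "10.0.0.0/16"))
```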
